warzonerat | ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44

Analysis

max time kernel
185s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe
Size

708KB
MD5

ecb6e0b8c1c969fb81be1b5d52ea4bab
SHA1

aa7d5a7a84f7a2b24d5177bfc147561964d0a250
SHA256

ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44
SHA512

4bb4313c268de141113f70a485b4af341ba4130329c4a9d1c734b2a1e0982e4f5da6097765bc7352bd5f7cf34f48b1b68f62d996144c5c7bd3153c0533d45b48
SSDEEP

12288:NGcpdQGrhJFun+3L04NtfzaAixx2L6sqyHdUPsjIPF81DLAIM:ND2Grg+I4Ntfzay3UMiFay

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

bedahogs.100chickens.me:6093

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4508-155-0x0000000000400000-0x00000000004B6000-memory.dmp	warzonerat
behavioral2/memory/4508-156-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

pid	Process
3224	Spotify.scr
4508	Spotify.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Spotify\\Spotify.vbs -VC"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Foxmail = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Spotify\\Spotify.scr"	Spotify.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3224 set thread context of 4508	3224	Spotify.scr	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000137"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2941533002"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376749116"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000137"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CFF22055-723C-11ED-BF5F-7EADEF22860F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb0000000002000000000010660000000100002000000016e93106aa15a407e63285c41cb9bc12cc4d24d6a894b308cbafeb2edd6f2796000000000e800000000200002000000069d332401caa10fb1a64b67deafca1a5f8dd412e36d805124af7f0da5b1eb28c200000005a78df2e073872e8fce850d0c2f2e86274469da80156926c4fbafc6e55c9a36b4000000001a72a5d8a40593a48c3f4c32834532d38fb0135e31aded70bf7cc5bbb238172ce66a48cfdc3cc3d48f22d0b70a98f4e63b0b584da025d4a7940216d66f5dadf	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4062f2ae4906d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2941533002"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 500c8daa4906d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb00000000020000000000106600000001000020000000303e914433b120440decc76b6fff52b595c9992a5bf9da22bddfbf9e1ee816e1000000000e80000000020000200000000bb420644e9ea45321f9cad2a67fb9d0fb29cde70a58ae86823e83ce32fb8cd620000000c1223fa9de4e4fe3d945af9871dbd2e3f560cff5f8123e967f2336108bdf424940000000d591e76bcf47eba77f23d5076b3c8dcb2b20cfdc89bbf9cf8a27cf1e0aeb08ab5154dc81b6e50f02fbfd1930c7d4ae3743e1675624438d7471ea6d745c0a938c	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1036	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4600	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe
1036	iexplore.exe
1036	iexplore.exe
3224	Spotify.scr
4192	IEXPLORE.EXE
4192	IEXPLORE.EXE
4192	IEXPLORE.EXE
4192	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1036	4600	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe	85
PID 4600 wrote to memory of 1036	4600	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe	85
PID 4600 wrote to memory of 1784	4600	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe	86
PID 4600 wrote to memory of 1784	4600	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe	86
PID 4600 wrote to memory of 1784	4600	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe	86
PID 1036 wrote to memory of 4192	1036	iexplore.exe	87
PID 1036 wrote to memory of 4192	1036	iexplore.exe	87
PID 1036 wrote to memory of 4192	1036	iexplore.exe	87
PID 4600 wrote to memory of 3224	4600	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe	88
PID 4600 wrote to memory of 3224	4600	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe	88
PID 4600 wrote to memory of 3224	4600	ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe	88
PID 3224 wrote to memory of 4508	3224	Spotify.scr	91
PID 3224 wrote to memory of 4508	3224	Spotify.scr	91
PID 3224 wrote to memory of 4508	3224	Spotify.scr	91
PID 4508 wrote to memory of 364	4508	Spotify.scr	94
PID 4508 wrote to memory of 364	4508	Spotify.scr	94
PID 4508 wrote to memory of 364	4508	Spotify.scr	94
PID 4508 wrote to memory of 364	4508	Spotify.scr	94
PID 4508 wrote to memory of 364	4508	Spotify.scr	94

C:\Users\Admin\AppData\Local\Temp\ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe
"C:\Users\Admin\AppData\Local\Temp\ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\REQUEST-QUOTATION.GIF
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4192
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Spotify\Spotify.vbs"
  2⤵
  - Adds Run key to start application
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\Spotify\Spotify.scr
  "C:\Users\Admin\AppData\Local\Temp\Spotify\Spotify.scr" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\Spotify\Spotify.scr
    C:\Users\Admin\AppData\Local\Temp\Spotify\Spotify.scr" /S
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\REQUEST-QUOTATION.GIF

Filesize
11KB

MD5
278956f711ed61cbd3c2823479ff8d1f

SHA1
6c13dc9edbc8d32785161a656416ec05e90b6012

SHA256
cab4061a6c121e1e6223c87c53b016fa0087236453a6b1e449efbf6571a19c92

SHA512
29874611477a5c704d2a911e384221542cb27e6b1d887be99d95fba97d50e5151f8007e1df96052595df5ef53367659b5191c2e0ea13bfb216f76afbd473f489

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spotify\Spotify.scr

Filesize
708KB

MD5
ecb6e0b8c1c969fb81be1b5d52ea4bab

SHA1
aa7d5a7a84f7a2b24d5177bfc147561964d0a250

SHA256
ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44

SHA512
4bb4313c268de141113f70a485b4af341ba4130329c4a9d1c734b2a1e0982e4f5da6097765bc7352bd5f7cf34f48b1b68f62d996144c5c7bd3153c0533d45b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spotify\Spotify.scr

Filesize
708KB

MD5
ecb6e0b8c1c969fb81be1b5d52ea4bab

SHA1
aa7d5a7a84f7a2b24d5177bfc147561964d0a250

SHA256
ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44

SHA512
4bb4313c268de141113f70a485b4af341ba4130329c4a9d1c734b2a1e0982e4f5da6097765bc7352bd5f7cf34f48b1b68f62d996144c5c7bd3153c0533d45b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spotify\Spotify.scr

Filesize
708KB

MD5
ecb6e0b8c1c969fb81be1b5d52ea4bab

SHA1
aa7d5a7a84f7a2b24d5177bfc147561964d0a250

SHA256
ce36e5e77d9501f5892c8d825104738ded2f9d7ab2074af51714e86c18894a44

SHA512
4bb4313c268de141113f70a485b4af341ba4130329c4a9d1c734b2a1e0982e4f5da6097765bc7352bd5f7cf34f48b1b68f62d996144c5c7bd3153c0533d45b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spotify\Spotify.vbs

Filesize
1024B

MD5
c8aec1dc4775b2f9bfb3944b596bcfa1

SHA1
5b6188ac37ab8b6a0ef4ffea82a284abc5d40898

SHA256
3fb9caeff6259d6131fc1b43d57d6409866ce5541313098d8471b694d7996264

SHA512
e350218d945b9b1166c0404cdc50930d9bc89391bc19f8eb562692394270543c02076d29db900b440c96110ac0d2c03a63335320d4da352730875c7c8dc82e4e

Download Submit
memory/364-167-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3224-152-0x00000000029B0000-0x00000000029B7000-memory.dmp

Filesize
28KB

Download
memory/3224-153-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmp

Filesize
2.0MB

Download
memory/3224-154-0x0000000077330000-0x00000000774D3000-memory.dmp

Filesize
1.6MB

Download
memory/4508-162-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmp

Filesize
2.0MB

Download
memory/4508-163-0x0000000077330000-0x00000000774D3000-memory.dmp

Filesize
1.6MB

Download
memory/4508-165-0x0000000077330000-0x00000000774D3000-memory.dmp

Filesize
1.6MB

Download
memory/4508-164-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download
memory/4508-156-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4508-155-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4600-134-0x0000000002190000-0x0000000002197000-memory.dmp

Filesize
28KB

Download
memory/4600-145-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmp

Filesize
2.0MB

Download
memory/4600-139-0x0000000077330000-0x00000000774D3000-memory.dmp

Filesize
1.6MB

Download
memory/4600-138-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmp

Filesize
2.0MB

Download
memory/4600-146-0x0000000077330000-0x00000000774D3000-memory.dmp

Filesize
1.6MB

Download
memory/4600-137-0x0000000002190000-0x0000000002197000-memory.dmp

Filesize
28KB

Download
memory/4600-136-0x0000000077330000-0x00000000774D3000-memory.dmp

Filesize
1.6MB

Download
memory/4600-135-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads